Note: This section describes the new Security Service that is based on the OMG Common Secure Interoperability v2 (CSIv2) specification. The older security APIs have been deprecated.
The Novell exteNd Messaging Platform's ORB provides support for the Common Secure Interoperability version 2.0 (CSIv2) OMG standard. This includes support for client authentication, Identity Assertion, and IIOP/SSL and TLS.
Additional security features include the ability of the ORB to listen only on a particular network interface of a multi-homed host, and support for doing access control based on the caller's IP address.
The CSIv2 security policy can be used by the clients to specify the security attributes required by the objects implemented using a POA instance. The security attributes include secure transport info (addresses, cipher suites, etc.), username/password or public key based client authentication, and Identity Assertion.
SecurityCurrent is a locality-constrained initial object that clients and servers use to set and get SecurityContexts.
Authenticator and AuthCallback
The SecurityCurrent interface has get/set methods for Authenticator and AuthCallback. The AuthCallback is called on the client side when the object being invoked supports or requires a SecurityContext (containing identity and/or initial context tokens) but no such context has been set. The Authenticator is called on the server side to validate the tokens sent by the clients.
In this section we will show a sample program that demonstrates the various aspects of security support in the ORB.
Integrating with JDK 1.2 Security
This section defines the various ORB-specific permissions that are enforced when running under Java 2. These permissions protect access to sensitive APIs like orb.shutdown. All the examples can be run under Java 2 with the Java Security Manager enabled. To run with the security manager, make sure that the ORB is installed as a Java 2 extension and run the examples with the java.security.manager property pointing to the security.policy file.
Access Control
The ORB does not provide direct support for access control. The object implementation, or the POA Servant Manager, can obtain the caller's identity using the SecurityCurrent object and then perform the desired access control. It can also find out the IP address of the caller and do access control based on that address. A simple example of access control can be found in the Secure Bank Application, where the AccountBalances object verifies that the caller identity is bankserver@bank before it hands out the AccountRecord for a given account.
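The following is an added illustration of the servant-side check described above, not code from the Secure Bank Application or the exteNd ORB. The CallerInfo interface is a hypothetical stand-in for what the servant reads from SecurityCurrent (caller identity and peer address); the CIDR value is a constructed sample.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;

// Hypothetical stand-in for the values a servant obtains from SecurityCurrent:
// the authenticated caller identity and the IP address of the IIOP peer.
interface CallerInfo {
    String identity();     // e.g. "bankserver@bank"; null if no identity token was sent
    InetAddress address(); // peer address of the connection; null if unknown
}

// Guard used by an AccountBalances-style servant before it hands out an AccountRecord.
public final class AccountBalancesGuard {
    private static final String ALLOWED_IDENTITY = "bankserver@bank";
    private final byte[] netAddr;
    private final int prefixLen;

    // cidr is a constructed sample such as "10.1.2.0/24": callers outside this
    // network are rejected even when they present the expected identity.
    public AccountBalancesGuard(String cidr) throws UnknownHostException {
        String[] parts = cidr.split("/");
        netAddr = InetAddress.getByName(parts[0]).getAddress();
        prefixLen = Integer.parseInt(parts[1]);
    }

    // Prefix comparison that works for both IPv4 and IPv6; a family mismatch denies.
    private boolean inNetwork(InetAddress addr) {
        byte[] a = addr.getAddress();
        if (a.length != netAddr.length) return false;
        int fullBytes = prefixLen / 8, rem = prefixLen % 8;
        if (!Arrays.equals(Arrays.copyOf(a, fullBytes), Arrays.copyOf(netAddr, fullBytes))) return false;
        if (rem == 0) return true;
        int mask = (0xFF << (8 - rem)) & 0xFF; // mask limited to one byte so sign extension is harmless
        return (a[fullBytes] & mask) == (netAddr[fullBytes] & mask);
    }

    // Fail closed: a missing identity, a foreign identity or an out-of-range
    // address all deny. The servant would raise org.omg.CORBA.NO_PERMISSION on false.
    public boolean mayReadAccountRecord(CallerInfo caller) {
        if (caller == null || caller.identity() == null || caller.address() == null) return false;
        if (!ALLOWED_IDENTITY.equals(caller.identity())) return false;
        return inNetwork(caller.address());
    }
}
```

The identity check alone is what the Secure Bank Application performs; the address check shows the IP-based control the text mentions layered on top of it.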
Copyright © 2003, 2004 Novell, Inc. All rights reserved. Copyright © 2001, 2002, 2003 SilverStream Software, LLC. All rights reserved.